You are apparently confusing IP spoofing with session hijacking.
IP spoofing is simply forging the IP addresses in an IP packet. This is used in many types of "attacks" including session hijacking. It is also often used to fake the e-mail headers of SPAM so they cannot be properly traced.
Session hijacking occurs at the TCP level. According to Internet Security Systems, "TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine."
For more information on session hijacking and other TCP Exploits, please visit Internet Security Systems. The definition I quoted above came from that page, and there are references to other papers, including one that explains IP spoofing.
As for how and where it can be done, if your connections are vulnerable, it can be done over the Internet. The attacker does not need to be directly in your path, though that does simplify things.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Common vulnerabilities and prevention tips
WhatIs.com Definition: E-mail spoofing
This was first published in August 2002